Hello,

In Juniper SRXes and Netscreen firewalls one defines security policies (firewall rules) according to a "from" security zone and a "to" security zone. Rules within each "from-to" combo can then focus on allowing or blocking individual IP subnets if required.

In Linux, the FORWARD chain is used for all traffic traversing the firewall and not destined for it. The firewall chain allows the administrator to filter based on incoming interface *and* outgoing interface. In an OpenBSD pf rule, however, a rule only references a single interface and a direction (in, out).

I am looking to define firewall policies on OpenBSD where I can enforce something like "all traffic from lab01 to lab02 is allowed by default, but all traffic from lab02 to lab01 is denied by default". In this case lab01 and lab02 are bound to different interfaces (obviously), but behind each interface is another router to which are attached a changing number of subnets, so I want to avoid having to update subnet lists in my pf rules constantly.

This situation would be simple to deal with in Juniper/Netscreen or Linux, but I'm having a hard time figuring out how to achieve a similar result in pf. I thought about passing all traffic on ingress on the lab01 and lab02 interfaces, tagging that traffic with a "from_lab0x" tag, and then having outbound rules take action based on the relevant interface and tag, like so:

    lab01 = "em1"
    lab02 = "em2"

    # bind states to the interface they were created on
    set state-policy if-bound

    # default deny
    block

    # ingress: accept and label traffic by the zone it came from
    pass in on $lab01 tag from_lab01
    pass in on $lab02 tag from_lab02

    # egress: lab01 -> lab02 allowed, lab02 -> lab01 denied
    pass out on $lab02 tagged from_lab01
    block out on $lab01 tagged from_lab02

Does this look like it makes sense? Is using an 'if-bound' state-policy ill-advised? Are there any obvious problems with this method? If so, is there a better way to achieve my goal?

Thanks,
-Martin
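A complete pf.conf in the shape Martin sketches above, added here as an illustration and not taken from his post or from any OpenBSD documentation. The interface names and tag names follow his draft; the `lo` skip, the logging, and the 192.0.2.10 syslog exception are assumptions made for the example:

```pf
# Added example, not part of the original post. Interface and tag names
# are taken from the draft in the post; everything else is an assumption.

lab01 = "em1"
lab02 = "em2"

# Loopback traffic is never filtered.
set skip on lo

# Bind states to the interface they were created on. With the default
# floating policy, the state created by "pass in on $lab01" also matches
# the same packet on its way out of $lab02, so the out rules below would
# never be evaluated for forwarded traffic. if-bound keeps one state per
# interface, so the egress ruleset on the other interface is consulted.
set state-policy if-bound

# Default deny on every interface, in both directions, logged to pflog0
# so that anything not explicitly allowed is visible.
block log all

# Ingress: accept what arrives from each zone and label it with the zone
# it came from. No subnet lists are needed; the tag follows the packet
# through the forwarding path.
pass in on $lab01 tag from_lab01
pass in on $lab02 tag from_lab02

# Egress: the zone-to-zone policy lives here.

# lab01 -> lab02: allowed by default. The out rule creates the state on
# $lab02, so replies arriving on $lab02 match it without new rule
# evaluation, and then match the $lab01 state on their way out.
pass out on $lab02 tagged from_lab01

# lab02 -> lab01: denied by default. Stated explicitly (and logged) so
# the decision is visible in the ruleset rather than falling through to
# the catch-all block above.
block out log on $lab01 tagged from_lab02

# Exceptions for the denied direction follow the block, because pf uses
# last-matching-rule-wins. Constructed example: lab02 hosts may send
# syslog to a collector at 192.0.2.10 in lab01.
pass out on $lab01 proto udp to 192.0.2.10 port 514 tagged from_lab02
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `tcpdump -n -e -ttt -i pflog0` shows which rule number blocked a given packet, which makes it easy to confirm that lab02-to-lab01 traffic is hitting the explicit `block out` rule and not the catch-all.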